Novell Client for Linux 1.2 Administration Guide 


About This Guide 


This guide describes how to configure the Novell® Client™ for Linux software. 


Chapter 1, “What’s New,” on page 9 


Chapter 2, "Understanding the Novell Client for Linux," on page 11 


Chapter 3, “Configuring the Novell Client for Linux," on page 15 


Chapter 4, "Managing Login," on page 25 


Chapter 5, "Managing File Security," on page 31 


Chapter 6, "Security Considerations," on page 37 


Appendix A, "Compiling the Novell Client Virtual File System Kernel Module," on page 43 


Appendix B, “The Novell Client for Linux Commands," on page 47 


Appendix C, “Documentation Updates," on page 51 


Audience 


This guide is intended for network administrators. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the User Comments feature at the bottom of each page of the 
online documentation, or go to www.novell.com/documentation/feedback.html and enter your 
comments there. 


Documentation Updates 


For the latest version of this documentation, see the Novell Client online documentation 
(http://www.novell.com/documentation/linux_client/index.html) Web site. 


Additional Documentation 


For information on installing the Novell Client for Linux, see the "Novell Client for Linux 1.2 
Installation Quick Start." 


For information on the Novell Client tray application, see the Novell Client for Linux 1.2 User 
Guide. 


For information on login scripts, see the Novell Login Scripts Guide. 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 
What's New 


The following are new features added to the Novell® Client™ for Linux 1.2: 
* The ability to edit login scripts from an option on the tray application menu. 


User authentication and access control are enforced (that is, users must be logged in to edit 
their personal login scripts). eDirectory™ access control is enforced as well, which is useful 
when administrators do not want their users to be able to edit their personal login scripts. An 
administrator can also configure the Novell Client for Linux to disallow the Edit Login Script 
option so it is not displayed on the tray application menu. 


For more information, see “Editing Your Login Script" in the Novell Client for Linux User 
Guide. 


* An integrated login feature that allows login profiles to be stored for use by subsequent 
network login operations. 


This functionality makes use of CASA (Common Authentication Services Adapter) for 
persistent storage of credentials for a given realm. The overall concept is that if the Novell 
Client for Linux 1.2 or later and CASA 1.6 or later are installed on the workstation, users can 
have their eDirectory connections, login scripts, and startup drive mappings run when they 
initially log in to the workstation. This authentication does not replace the workstation login; it 
currently just augments it with eDirectory functionality. 


Users must run the normal Novell Login from the tray application menu and save their 
Novell Login settings. After saving the Novell Login settings, the next time the same user logs 
in to the workstation, eDirectory authentication is automatic and the user's login script runs at 
startup. 


For more information, see Section 4.1, “Setting Up Integrated Login,” on page 25. 


Understanding the Novell Client for Linux 


The Novell® Client™ for Linux software allows users of Linux workstations to access and use all 
of the services available on servers running Novell eDirectory™. The Novell Client brings the full 
power, ease of use, manageability, and security of eDirectory to Linux workstations. The Novell 
Client for Linux fully supports NetWare®, OES, and eDirectory services and utilities on a Linux 
workstation, including security, file, and print services through Novell iPrint. 


This section contains the following information: 


* Section 2.1, “Understanding How the Novell Client for Linux Differs from the Novell Client 
for Windows 2000/XP,” on page 11 


* Section 2.2, “Understanding the Novell Client for Linux Virtual File System,” on page 12 


2.1 Understanding How the Novell Client for 
Linux Differs from the Novell Client for Windows 
2000/XP 


Using the Novell Client for Linux differs in a few ways from using the Novell Client for Windows. 
For users and network administrators who are familiar with the Novell Client for Windows, 
knowing these differences can help the transition to Linux run more smoothly. 


Installation and Upgrades 
* The Novell Client for Linux can be installed and upgraded using either YaST or an installation 
script. For more information, see the "Novell Client for Linux 1.2 Installation Quick Start." 
* There is no Automatic Client Upgrade available on Linux. 


* The Client Configuration Wizard lets you set up a configuration file that can be used to 
preconfigure workstations during installation. For more information, see Section 3.2, “Using 
Configuration Files to Preconfigure the Novell Client,” on page 22. 


Logging In 


* When a user logs in to a local workstation and then opens a remote SSH session and logs in as 
the same user, the network resources that user has rights to are available to the user. 


* The Novell Client for Linux can use the NMAS™ login method to authenticate. However, the 
NMAS login is not integrated into the Novell Client for Linux login screen, so the default 
login sequence cannot be set in the Novell Client Login screen. 


* The Novell Client for Linux uses OpenSLP, whereas the Novell Client for Windows uses 
Novell's implementation of SLP. The network administrator must set up OpenSLP before users 
can look up trees, contexts, and servers using the Browse buttons in the Novell Client Login 
window. If OpenSLP is not set up, the user must enter a username, tree, and context to connect 
to the network. See Chapter 4, "Managing Login," on page 25 for more information. 
Because Linux uses OpenSLP, the implementation is different and the user's experience is 
different. For more information, see Section 4.4, "Using OpenSLP to Simplify Login," on 
page 29. 


* The Novell Client for Linux does not use the Dynamic Local User or Location Profiles that are 
available in Windows. 


User Interface 


Both a graphical user interface and command line utilities are available to complete client actions 
such as mapping drives, setting trustee rights, and copying files. 


Login Scripts 


Novell has ported the vast majority of login script functionality to the Linux platform. This means 
that the login scripts you create in your network can be used for both Windows users and Linux 
users with very little difference in functionality. 


Some differences do exist, however. For example, mapped drives are implemented by creating 
symbolic links, and search drives are not available on Linux. Other small differences are created by 
the inherent difference between Windows and Linux. All the differences and issues are listed in the 
Novell Login Scripts Guide. 


2.2 Understanding the Novell Client for Linux 
Virtual File System 


The Novell Client for Linux differs from previous Novell Clients to enable it to work on the Linux 
platform. In Windows, the Novell Client loads a single binary that works on multiple operating 
system platforms without modifications. The Novell Client for Linux has a Virtual File System that 
consists of a kernel module (novfs.ko) that runs as part of the Linux kernel and a daemon 
(novfsd) that runs in user space. Both components must be running on the workstation for the 
client to connect to the network. 


The daemon can run on any of the supported Linux platforms without modification. The kernel 
module, however, is dependent on the kernel version and must be compiled to match the kernel on 
the workstation. When the Novell Client is installed, it compiles the kernel module during the 
installation process. If this process fails, the kernel module cannot load. It attempts to recompile 
when the workstation is restarted. 


2.2.1 Understanding When the Virtual File System Kernel 
Module Needs to Be Compiled 


The following is a list of the instances when you must compile the Novell Client Virtual File System 
Kernel Module (novfs.ko): 


* You installed the Novell Client and received an error message. This generally occurs because 
not all the required packages are installed on the workstation. You must install these packages, 
compile the Novell Client Virtual File System Kernel Module (novfs.ko), and restart the 
workstation. See "System Requirements" in the Novell Client for Linux Installation Quick Start 
for more information. 


* You have previously compiled the Novell Client Virtual File System Kernel Module 
(novfs.ko) and then made changes to the kernel. 
* You have a custom kernel of any of the supported versions. 


* Kernel updates are automatically pushed to the workstation via Red Carpet®. 


In all of these instances, you must recompile the Novell Client Virtual File System Kernel Module 
(novfs.ko) to ensure that it is compatible with the Linux kernel version on your workstation. 
However, when later shipping versions of SLED are provided by Novell, the Novell Client Virtual 
File System Kernel Module (novfs.ko) is installed and you do not need to recompile it, because 
the module is included with the kernel. 


For more information, see Appendix A, “Compiling the Novell Client Virtual File System Kernel 
Module,” on page 43. 


NOTE: If you patch the kernel for any reason, you must make sure that you have the required 
packages that correspond to the kernel patch. For a list of the required packages, see “System 
Requirements” in the Novell Client for Linux Installation Quick Start. The Novell Client for Linux 
then recompiles when the workstation is restarted. Without the corresponding packages, the 
recompile fails. 


Under certain conditions, your version of novfs.ko could be rolled back when you install a new 
kernel. For example, if you download and install a patched version of novfs.ko, and then 
later install an SLED 10 update to your kernel, the Novell Client Virtual File System Kernel Module 
patch might be overwritten. You should then reinstall the novfs.ko patch and recompile the 
module so that the kernel module and the running kernel match again. 
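A practical check for the recompile cases listed above, added here as an example and not part of the guide or the Novell Client tooling: the kernel release a module was built against is the first token of its vermagic string, which modinfo prints, so comparing it with uname -r tells you whether the installed novfs.ko still matches the running kernel before you reboot and find the daemon cannot connect. The sample modinfo output is constructed (the release number is illustrative of a SLED 10 kernel) and the function names are mine.

```python
"""Check whether novfs.ko was built for the kernel that is running.

Added example; not from the guide or the Novell Client tooling. The kernel
release a module was compiled against is the first token of its 'vermagic'
string, which `modinfo <module>` prints, so comparing it with `uname -r`
detects the "kernel updated, module not recompiled" state before a reboot
or a failed mount does. Function names are mine.
"""
import re
import subprocess
from typing import Optional

VERMAGIC_RE = re.compile(r"^vermagic:\s*(\S+)", re.MULTILINE)

# Constructed sample of `modinfo novfs` output; the release number is
# illustrative of a SLED 10 kernel and is not taken from the guide.
SAMPLE_MODINFO = """\
description:    Novell Client for Linux Virtual File System
depends:
vermagic:       2.6.16.21-0.8-default SMP mod_unload 586 REGPARM gcc-4.1
"""


def parse_vermagic(modinfo_output: str) -> Optional[str]:
    """Return the kernel release the module was built for, or None."""
    match = VERMAGIC_RE.search(modinfo_output)
    return match.group(1) if match else None


def module_matches_kernel(modinfo_output: str, running_release: str) -> bool:
    """True only when the module's vermagic release equals the running one."""
    built_for = parse_vermagic(modinfo_output)
    return built_for is not None and built_for == running_release


def check_running_system(module: str = "novfs") -> bool:
    """Run modinfo and uname on this host; False means a recompile is needed.

    A missing module (modinfo fails) is reported as a mismatch too, since
    that is what a failed automatic recompile after a kernel update looks like.
    """
    try:
        info = subprocess.run(["modinfo", module], capture_output=True,
                              text=True, check=True).stdout
        running = subprocess.run(["uname", "-r"], capture_output=True,
                                 text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"{module}: cannot inspect module ({exc}); treat as not built")
        return False
    ok = module_matches_kernel(info, running)
    print(f"{module}: built for {parse_vermagic(info)}, running {running}: "
          + ("OK" if ok else "MISMATCH, recompile " + module + ".ko"))
    return ok


if __name__ == "__main__":
    # Same kernel: fine.  Updated kernel: the module must be recompiled.
    print(module_matches_kernel(SAMPLE_MODINFO, "2.6.16.21-0.8-default"))  # True
    print(module_matches_kernel(SAMPLE_MODINFO, "2.6.16.27-0.9-default"))  # False
    check_running_system()
```

Run it as root (or any user that can read the module) after a kernel update or a Red Carpet push; a mismatch or a modinfo failure means the recompile described in Appendix A has not happened yet, and the kernel module will not load on the next boot.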


Configuring the Novell Client for Linux 


This section explains two ways that you can configure the Novell® Client™ for Linux settings on a 
workstation. Both methods let you configure the file browser, protocol, login, tray application, and 
SLP configuration settings available to Novell Client users. 


* Using the Novell Client Configuration Wizard (page 15) 
* Using Configuration Files to Preconfigure the Novell Client (page 22) 


3.1 Using the Novell Client Configuration Wizard 


The Novell Client for Linux includes a Novell Client Configuration Wizard to simplify the process 
of configuring your Novell Client. 


1 Launch the Novell Client Configuration Wizard using either of the following methods: 
* In the Novell Client tray application, click System Settings. 
* In YaST, click Network Services > Novell Client. 

2 Select the Client Configuration Wizard pages that contain the settings you want to configure. 
[Screenshot: Novell Client Configuration Wizard in YaST, Page Selection page. The page lists the wizard pages Login, Map, Protocol, Tray Application, File Browser, and Service Location Protocol (OpenSLP); the left panel explains that you select the pages you want, click Start Wizard to continue, and click Finish when done to save your changes.] 

You can configure the following settings: 
* Login 
* Map 
* Protocol 


* Tray Application 
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* File Browser 
* Service Location Protocol (OpenSLP) 
3 Click Start Wizard. 
4 Follow the instructions in the left panel to configure Novell Client settings. 
5 Click Finish. 
6 Restart the workstation to ensure that the settings take effect. 
7 If you made changes to the Protocol Settings page or the Service Location Protocol (OpenSLP) 
Settings page, reboot the machine for those changes to take effect. 


Any changes you make to the Novell Client settings are written to a set of configuration (.conf) 
files in the /etc/opt/novell/ncl directory. These files are then used by the Novell Client. 


IMPORTANT: When the Novell Client software is uninstalled, these settings are not saved. 


3.1.1 Configuring Login Settings 


Use the Login Settings page in the Novell Client Configuration Wizard to configure the settings 
available to users in the Novell Login dialog box. 


Figure 3-1 Login Settings Page 

[Screenshot: Login Settings page with check boxes for Advanced Button, NMAS Authentication, Integrated Login, and Display Integrated Login Results; a Delete Integrated Login Profiles button; and Login Defaults fields for Default Tree and Default Context.] 

This page contains the following options: 


* Advanced Button: Enables or disables the Advanced button in the Login dialog box. This 
option is selected by default. 


* NMAS Authentication: Enables or disables Novell Modular Authentication Services 
(NMAS™) during login. NMAS authentication can add additional security to the network, but 
if the network does not use NMAS, login might take additional time, so you can disable NMAS 
authentication by disabling this setting. This option is selected by default. 
* Integrated Login: Enables the integrated login feature for the entire system. This is set by the 
administrator and cannot be overridden by the user. 


* Display Integrated Login Results: When this option is disabled, all login scripts are run 
silently and the script results window is not displayed, but login scripts are still processed. 


* Delete Integrated Login Profiles: Removes the existing login profiles for all users on this 
workstation. 


* Default Tree: Specify the default tree that Login attempts to log in to. This setting is 
overridden by the Login Dialog Tree history. 


* Default Context: Specify the default context that Login attempts to log in to. This setting is 
overridden by the Login Dialog Context history. 


For more information on using the Novell Login dialog box, see "Logging In to the Network" in the 
Novell Client for Linux User Guide. 


3.1.2 Configuring Map Settings 


Use the Map Settings page in the Novell Client Configuration Wizard to specify the directory on the 
local workstation where symbolic links to network resources are created and to select the first letter 
to use when creating these links. 


Figure 3-2 Map Settings Page 

[Screenshot: Map Settings page with a Map Link Default Location field (default %HOME) and a First Network Drive selector.] 

This page contains the following options: 


* Map Link Default Location: Specify the path to the directory where Map creates symbolic 
links to network resources. A value of %HOME (the default) causes Map to create symbolic 
links in the user's home directory. 


* First Network Drive: Select the first letter for Map to use when creating symbolic links to 
network resources. This setting is used in commands such as Map *1 or Map next. 
3.1.3 Configuring Protocol Settings 


Use the Protocol Settings page in the Novell Client Configuration Wizard to determine the level of 
enhanced security support, select the providers to perform name resolution, and enable the Client to 
obtain configuration information from your DHCP server. 


Figure 3-3 Protocol Settings Page 

[Screenshot: Protocol Settings page with Name Resolution Providers check boxes for Domain Name System (DNS), NetWare Core Protocol (NCP), and Service Location Protocol (SLP); an NCP Signature Level field (0-3, shown set to 1) under Security; and Dynamic Host Configuration Protocol (DHCP) check boxes for Tree, Context, and Server.] 

This page contains the following options: 


* Name Resolution Providers: Select the providers to perform name resolution. Domain Name 
System also uses the /etc/hosts file. NetWare® Core Protocol™ uses information 
contained in the active NCP™ connections. Service Location Protocol queries SLP for 
eDirectory™ and Bindery names. 


* NCP Signature Level: Specify the level of enhanced security support. Enhanced security 
includes the use of a message digest algorithm and a per-connection/per-request session state. 
The values are as follows: 
0 = Disabled 
1 = Enabled but not preferred 
2 = Preferred 
3 = Required 
Changing the value of this setting to 2 or 3 increases security but decreases performance. 


* Dynamic Host Configuration Protocol (DHCP): If a DHCP server is set up on your network, 
the DHCP server can inform the Novell Client of network-specific configuration information. 
This information is made available when a user clicks the Tree, Context, or Server buttons on 
the eDirectory tab of the Novell Login dialog box. 


If you make changes to the Protocol Settings page, you must reboot the workstation for those 
changes to take effect. 
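The four NCP Signature Level values only mean something as a pair with the server's own level. The block below is an added example, not part of the guide or the Novell Client code; it implements the NetWare packet signature negotiation rule, which I assume applies unchanged to the Linux client: a side that requires signing refuses a side that has it disabled, signing is used once both sides are at least enabled and one of them prefers or requires it, and otherwise the session runs unsigned. The practical consequence is that the default of 1 accepts an unsigned session from any server set to 0 or 1, and only 3 refuses instead of falling back. Function names are mine.

```python
"""NCP packet signature level negotiation, as an added example.

Not part of the guide or the Novell Client code. The outcome table is the
packet signature matrix used by NetWare clients and servers, assumed here to
apply to the Linux client unchanged: each side has a level 0-3, and the pair
decides whether requests carry a message digest ("signed"), are sent plain
("unsigned"), or the connection is refused.
"""
from typing import Dict, List

LEVELS: Dict[int, str] = {
    0: "Disabled",
    1: "Enabled but not preferred",
    2: "Preferred",
    3: "Required",
}


def negotiate(client_level: int, server_level: int) -> str:
    """Return 'signed', 'unsigned' or 'refused' for a client/server pair."""
    for lvl in (client_level, server_level):
        if lvl not in LEVELS:
            raise ValueError(f"NCP signature level must be 0-3, got {lvl}")
    # A side that requires signing cannot talk to one that has it disabled.
    if {client_level, server_level} == {0, 3}:
        return "refused"
    # If either side has signing off, nothing is signed (but it connects).
    if 0 in (client_level, server_level):
        return "unsigned"
    # Both at least enabled: signing happens as soon as one side prefers or
    # requires it; two merely-enabled sides stay unsigned.
    if client_level >= 2 or server_level >= 2:
        return "signed"
    return "unsigned"


def unsigned_server_levels(client_level: int) -> List[int]:
    """Server levels that leave a client at `client_level` talking unsigned.

    With the guide's default of 1 this is [0, 1]: any server that does not at
    least prefer signing yields an unsigned session with no error. Level 3 is
    the only client setting with an empty list.
    """
    return [s for s in LEVELS if negotiate(client_level, s) == "unsigned"]


def matrix() -> str:
    """Render the full 4x4 negotiation table for review."""
    header = "client\\server " + "  ".join(f"{s:>8}" for s in LEVELS)
    rows = [header]
    for c in LEVELS:
        cells = "  ".join(f"{negotiate(c, s):>8}" for s in LEVELS)
        rows.append(f"{c:>13} {cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(matrix())
    print("client level 1 is unsigned against servers at", unsigned_server_levels(1))
    print("client level 3 is unsigned against servers at", unsigned_server_levels(3))
```

Running it prints the table; unsigned_server_levels(1) returns [0, 1], which is the silent-fallback surface of the default setting, and unsigned_server_levels(3) returns [], the price being that a level-0 server is refused outright rather than reached unsigned.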
3.1.4 Configuring Tray Application Settings 


Use the Tray Application Settings page in the Novell Client Configuration Wizard to automatically 
launch the Novell Client Tray Application when the desktop starts and to determine which options 
are available to users on the Tray Application menu. 


Figure 3-4 Tray Application Settings Page 

[Screenshot: Tray Application Settings page with a Launch Tray Application check box and Tray Application Menu Options check boxes for Novell Login, Novell Logout, Novell Connections, Change Password, Novell Map Directory, Disconnect Novell Mapped Directory, Novell Utilities, User Administration, User Preferences, System Settings, and Novell Client for Linux Documentation.] 


This page contains the following options: 


* Launch Tray Application: Select this option to automatically launch the Novell Client Tray 
Application. 

* Tray Application Menu Options: Enables or disables the options available to users on the 
Tray Application menu. 


For more information, see "Using the Novell Client Tray Application" in the Novell Client for Linux 
User Guide. 


3.1.5 Configuring File Browser Settings 


Use the File Browser Settings page in the Novell Client Configuration Wizard to specify which 
Novell Client options are available to users when they right-click Novell file system directories or 
files in a file manager, and which tabs are available on the Novell File, Folder, and Volume 
Properties pages. 


Figure 3-5 File Browser Settings Page 

[Screenshot: File Browser Settings page with a Navigation Panel Icon (KDE only) check box; Right Click Menu Options check boxes for Novell Properties, Purge Novell Files, and Salvage Novell Files; File and Folder Properties Tabs check boxes for File and Folder Information and Novell Rights; and Volume Properties Tabs check boxes for Volume Information and Volume Statistics.] 

This page contains the following options: 


* Navigation Panel Icon (KDE only): Enables or disables the File Browser Navigation Panel 
icon. This icon is displayed only in KDE. 


* Novell Properties: Enables or disables the Novell Properties menu option when users right-
click a Novell file system directory or file in a file manager. 


* Purge Novell Files: Enables or disables the Purge Novell Files menu option when users right-
click a Novell file system directory or file in a file manager. 


* Salvage Novell Files: Enables or disables the Salvage Novell Files menu option when users 
right-click a Novell file system directory or file in a file manager. 


* File and Folder Information: Enables or disables the File Information and Folder 
Information tabs on the File and Folder Properties pages (available when users right-click a 
Novell file system directory or file in a file manager and then click Novell Properties). 


* Novell Rights: Enables or disables the Novell Rights tab on the File and Folder Properties 
pages (available when users right-click a Novell file system directory or file in a file manager 
and then click Novell Properties). 


* Volume Information: Enables or disables the Volume Information tab on the Volume 
Properties page (available when users right-click a Novell file system volume in a file manager 
and then click Novell Properties). 


* Volume Statistics: Enables or disables the Volume Statistics tab on the Volume Properties page 
(available when users right-click a Novell file system volume in a file manager and then click 
Novell Properties). 
3.1.6 Configuring OpenSLP Settings 


Use the Service Location Protocol (OpenSLP) Settings page in the Novell Client Configuration 
Wizard to specify where and how the Client requests network services. 


In an IP-only network, the Novell Client needs a way to resolve the eDirectory tree, context and 
server names to an actual IP address of an eDirectory server that can provide authentication. On a 
simple LAN, the client can send an IP broadcast to discover this information, but on a multisite 
WAN, the SLP scope and Directory Agents must be listed. 


Figure 3-6 Service Location Protocol (OpenSLP) Settings Page 

[Screenshot: OpenSLP Settings page with a Scope List field (example: myScope1,myScope2,myScope3), a Directory Agent List field (example: myDa1,myDa2,myDa3), a Maximum Results field (1-65,000, shown set to 255), and a Broadcast Only check box.] 

This page contains the following options: 


* Scope List: Specify the scopes that a user agent (UA) or service agent (SA) is allowed when 
making requests or registering, or the scopes that a directory agent (DA) must support. 


* Directory Agent List: Specify the specific DAs that UA and SA agents must use. If this 
setting is not used, dynamic DA discovery is used to determine which DAs to use. 


* Broadcast Only: Select this option to use broadcasting instead of multicasting. This setting is 
not usually necessary because OpenSLP automatically uses broadcasting if multicasting is 
unavailable. 


SLP is designed to use IP multicasting; however, if any SLP Agent does not implement IP 
multicasting, then all Agents must use broadcasting to reach that Agent. If a DA does not 
support multicasting, we recommend using the Directory Agent List to configure that Directory 
Agent rather than using this option. 


If the network does not contain a DA, IP servers must use their own SAs to specify the services 
that are available. If the SA does not support multicasting and if there are any services 
advertised by that SA that are needed by the UA on this machine, then use the Broadcast Only 
option. 


Broadcasting has the disadvantage of being limited to the local LAN segment. 
* Maximum Results: Specify a 32-bit integer giving the maximum number of results to 
accumulate and return for a synchronous request before the time-out, or the maximum number 
of results to return through a callback if the request results are reported asynchronously. 


If you make changes to the Service Location Protocol (OpenSLP) Settings page, you must reboot 
the workstation for those changes to take effect. 


For more information, see Section 4.4, “Using OpenSLP to Simplify Login,” on page 29, SLP 
Fundamentals (http://www.novell.com/documentation/edir873/qsedir873/data/aksciti.html), and the 
OpenSLP (http://www.openslp.com) Web site. 
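Because this wizard page is saved to /etc/slp.conf, it helps to know what to look for in that file when checking a workstation. The following is an added example, not from the guide, from Novell, or from the OpenSLP project: it writes the four settings on this page as OpenSLP's standard slp.conf keys and parses them back. The mapping of the wizard fields onto net.slp.useScopes, net.slp.DAAddresses, net.slp.isBroadcastOnly and net.slp.maxResults is my assumption (the guide only names the file), the scope and DA names are constructed, and the range check copies the 1-65,000 limit shown on the page.

```python
"""Write and read back the OpenSLP settings the wizard keeps in /etc/slp.conf.

Added example; not from the guide, Novell, or OpenSLP. The four wizard
fields are assumed to map onto the standard OpenSLP keys named below. In
slp.conf a line is `key = value`, `;` (the form the shipped file uses) or
`#` starts a comment, and a commented-out key means the OpenSLP default
applies, which for DAAddresses is dynamic DA discovery.
"""
from typing import Dict, List, Optional

KEY_SCOPES = "net.slp.useScopes"
KEY_DAS = "net.slp.DAAddresses"
KEY_BCAST = "net.slp.isBroadcastOnly"
KEY_MAXRES = "net.slp.maxResults"


def render_slp_conf(scopes: List[str], das: List[str],
                    broadcast_only: bool = False,
                    max_results: int = 256) -> str:
    """Build the slp.conf fragment for the wizard's settings.

    Scopes and DA addresses are comma-separated lists. An empty DA list is
    emitted as a commented key so dynamic DA discovery stays in effect; an
    empty scope list falls back to OpenSLP's DEFAULT scope. The range check
    mirrors the wizard's 1-65000 limit on Maximum Results.
    """
    if not 1 <= max_results <= 65000:
        raise ValueError("Maximum Results must be between 1 and 65000")
    for entry in scopes + das:
        if "," in entry or not entry.strip():
            raise ValueError(f"bad list entry: {entry!r}")
    lines = ["; Generated by an example script; OpenSLP keys, ';' is a comment."]
    lines.append(f"{KEY_SCOPES} = {','.join(scopes) if scopes else 'DEFAULT'}")
    lines.append(f"{KEY_DAS} = {','.join(das)}" if das else f";{KEY_DAS} =")
    lines.append(f"{KEY_BCAST} = {'true' if broadcast_only else 'false'}")
    lines.append(f"{KEY_MAXRES} = {max_results}")
    return "\n".join(lines) + "\n"


def parse_slp_conf(text: str) -> Dict[str, str]:
    """Return the effective key/value pairs, ignoring comments and blanks."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective_das(conf: Dict[str, str]) -> Optional[List[str]]:
    """DA list in force, or None when the client relies on DA discovery."""
    value = conf.get(KEY_DAS, "")
    das = [d.strip() for d in value.split(",") if d.strip()]
    return das or None


if __name__ == "__main__":
    # Constructed values matching the examples shown on the wizard page.
    text = render_slp_conf(["myScope1", "myScope2"], ["myDa1", "myDa2"],
                           max_results=255)
    print(text)
    parsed = parse_slp_conf(text)
    print("pinned DAs:", effective_das(parsed))
```

Pinning DAs with the Directory Agent List, which the page already recommends for DAs that cannot multicast, also removes the client's dependence on dynamic DA discovery for finding the agent it asks about eDirectory servers; on a WAN where you can enumerate the DAs, effective_das returning None on a workstation is worth treating as a misconfiguration.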


3.2 Using Configuration Files to Preconfigure 
the Novell Client 


The Novell Client for Linux allows you to apply preconfigured client settings contained in one or 
more configuration (.conf) files. This option works similarly to the unattend file that can be used to 
configure the Novell Client for Windows (see Creating the Configuring File (http:// 
www.novell.com/documentation/noclienu/noclienu/data/bu01sei.html#hn62kppa) in the Novell 
Client for Windows Installation and Administration Guide for more information). 


Preconfiguring the Novell Client for Linux requires the novell-client-conf.spec file and 
the make_novell-client-conf_rpm Bash script located in the /add-on/novell-
client-conf subdirectory of the directory where you unarchived the Client download file. 


1 Create the preconfigured settings using the Novell Client Configuration Wizard. 


See Section 3.1, "Using the Novell Client Configuration Wizard," on page 15. 
2 Copy the appropriate .conf files to the /add-on/novell-client-conf directory. 


Depending on the settings you preconfigured, copy one or more of the following files: 


Conf File Path and Name                      Configuration Settings 

/etc/opt/novell/ncl/file_browser.conf        File browser settings 
/etc/opt/novell/ncl/login.conf               Login settings 
/etc/opt/novell/ncl/map.conf                 Map settings 
/etc/opt/novell/ncl/protocol.conf            Protocol settings 
/etc/opt/novell/ncl/tray_app.conf            Novell Client Tray Application settings 
/etc/slp.conf                                SLP configuration settings 


3 Run the make_novell-client-conf_rpm script to create a novell-client-conf-
version_number.platform.rpm file (for example, novell-client-conf-
1.0.0-0.i586.rpm) using all of the .conf files contained in the /add-on/novell-
client-conf directory. 


3a Make sure you are the root user. 
3b Enter the following in a terminal: 


bash make_novell-client-conf_rpm 
4 Install the preconfigured settings contained in novell-client-conf-
version_number.platform.rpm using one of the following methods: 


* Install manually in a terminal: Enter rpm -i novell-client-conf-
version_number.platform.rpm in a terminal. 


* Install using the ncl_install script: When you launch the ncl_install script (located 
in /opt/novell/ncl/bin or in the directory where you unarchived the Client 
download file), it looks for novell-client-conf-
version_number.platform.rpm in the /add-on/novell-client-conf 
directory and adds it to the list of RPMs it installs as part of the Client. 


* Install with the Novell Client using YaST: Add the location of the newly created 
novell-client-conf-version_number.platform.rpm to the list of 
installation sources in YaST (add a local directory in the Installation Source option and 
point it to the directory containing novell-client-conf-
version_number.platform.rpm). When the YaST install runs, novell-
client-conf-version_number.platform.rpm is added as one of the RPMs in 
the Novell Client selection. 


The Novell Client configuration settings on a workstation can be updated at any time 
using the YaST method. 


The .conf files contained in the RPM are copied to the /etc/opt/novell/ncl 
directory, overwriting the files of the same name that already exist there. The installation then 
copies the slp.conf file to the /etc directory, overwriting that file as well. 


TIP: Backup copies of the existing files are made in the same directory so that you can revert 
to the old files if you need to. 
Managing Login 


You can customize the client login environment with the following tasks to suit your network and 
have greater control over what users can access during login: 

* Section 4.1, "Setting Up Integrated Login," on page 25 

* Section 4.2, "Setting Up Login Scripts," on page 28 

* Section 4.3, "Setting Up Login Restrictions," on page 28 

* Section 4.4, “Using OpenSLP to Simplify Login," on page 29 


For more information, see “Logging In to the Network" and “Logging Out of a Network Location 
(Server or Tree)" in the Novell Client for Linux User Guide. 


4.1 Setting Up Integrated Login 


The Novell® Client™ for Linux 1.2 provides a single, synchronized login to the SUSE® Linux 
desktop and the NetWare® network. Users enter their name and password only once to access all the 
resources they are authorized to use. 


IMPORTANT: The integrated login feature is not available if you log in as the root user, and the 
integrated login feature does not work if a workstation is set up to not ask for a password in the 
display manager greeter. 


For integrated login to work, the Novell Common Authentication Services Adapter (CASA) must be 
installed and enabled. CASA is a common authentication and security package that provides a set of 
libraries for application and service developers to enable single sign-on to an enterprise network. 


4.1.1 Installing and Enabling CASA 


CASA is installed by default with SLED 10, but it is not enabled. CASA is not installed or enabled 
by default with SUSE Linux 10.1. 


Installing CASA 

1 Launch the YaST Control Center. 
SLED 10 GNOME: Click Computer > More Applications > YaST Control Center. 
SUSE Linux 10.1 GNOME: Click Desktop > YaST. 
KDE: Click the menu button > System > YaST (Control Center). 

2 If you are not logged in as root, type the root password, then click Continue. 

3 Click Software in the left column, then click Software Management in the right column. 

4 Click Search in the Filter drop-down list. 

5 Type casa in the Search field, then click Search. 

6 Select the casa packages for installation. 

7 Click Accept to install all of the selected packages. 
YaST displays the progress of the package installation. 


8 (Conditional) If a message informs you that other package selections have been made to 
resolve dependencies, click Continue. 


9 (Conditional) If a message prompts you to insert a SUSE Linux CD, put the CD in the CD 
drive, then click OK. 


10 After all the packages have been installed, click Close to close the YaST Control Center. 


Enabling CASA 
1 Launch the YaST Control Center. 
SLED 10 GNOME: Click Computer > More Applications > YaST Control Center. 
SUSE Linux 10.1 GNOME: Click Desktop > YaST. 


KDE: Click the menu button > System > YaST (Control Center). 
2 Click Security and Users in the left column, then click CASA in the right column. 
3 Click Configure CASA, then click OK. 
4 Click Finish to close the CASA Configuration Wizard. 


4.1.2 Configuring Integrated Login 


1 Use one of the following methods to open the Novell Login dialog box: 
* Click the Novell tray icon > Novell Login. 
* SLED 10 GNOME: Click Computer > More Applications > Novell Login. 
* SUSE Linux 10.1 GNOME: Click Applications > Applications > Novell Login. 
* KDE: Click the menu button > Applications > Novell Login. 
2 Enter your username and password, then click Advanced. 


3 Specify the tree, context, and server information for the server you want to connect to. 
4 Click the Startup tab, then select Run Novell Client Login at Session Startup. 


Figure: Novell Login dialog, Startup tab (User Name; tabs eDirectory, Script, Startup; Integrated Novell Client Login at Startup: Run Novell Client Login at Session Startup; Integrated Login Profile to use at startup: Save Profile after the successful login, Load Profile, Clear Profile). 


5 Select Save Profile after the successful login to save the Novell Login dialog settings to be used 
for all subsequent session logins. 


You must have the User Name and Password fields and the Tree and Context fields on the 
eDirectory tab filled out for this to be saved. 


IMPORTANT: An integrated login does not happen at the next session startup without a saved 
profile. 


6 (Optional) Click Load Profile to populate all fields in the dialog based on the saved settings. 


7 (Optional) Click Clear Profile to remove the profile settings. 


8 Click OK to log in to the server specified in Step 3. 


4.1.3 Managing System Wide Integrated Login Settings 


1 Launch the Novell Client Configuration Wizard using either of the following methods: 
* Click the Novell tray icon > System Settings. 
* In YaST, click Network Services > Novell Client. 

2 Select Login, then click Start Wizard. 

3 On the Login Settings page, select or deselect Integrated Login. 


This enables or disables the integrated login feature for the entire system. This is set by the 
administrator and cannot be overridden by the user. 


4 Select Display Integrated Login Results to display the Integrated Login Script Results window 
when the user desktop is launched. 
If this option is disabled, all login scripts are run silently and the Integrated Login Script 
Results window is not displayed, but login scripts are still processed. 


5 Select Delete Integrated Login Profiles if you want to remove the existing login profiles for all 
users on this workstation. 


6 Click Finish. 


4.2 Setting Up Login Scripts 


When a user successfully logs in to the network, one or more login scripts are executed that 
automatically set up the workstation environment. Login scripts are similar to batch files and are 
executed by Novell Login. You can use login scripts to map drives to Novell file system volumes 
and directories, display messages, set environment variables, and execute programs or menus. 


Login scripts were originally created for use with the Novell Client for Windows. However, the 
Novell Client for Linux can take advantage of the majority of the functionality available in 
Windows. This means that the login scripts you created for Windows workstations can also be used 
with Linux workstations without modification, so you need to administer only one set of login 
scripts. 


Because login scripts are very flexible and dynamic, offer a high degree of customization, and are 
cross-platform, you should customize the scripts to optimize workstation login to your network. For 
more information on setting up login scripts, see the Novell Login Scripts Guide. 


4.3 Setting Up Login Restrictions 


Login restrictions are limitations on user accounts that control access to the network. These 
restrictions can be set by an administrator in Novell iManager for each user's eDirectory™ User 
object and include the following: 


* Requiring a password 
You can specify its minimum length, whether it must be changed and how often, whether it 
must be unique, and whether the user can change it. 


* Setting the number of logins with an expired password and the number of incorrect login 
attempts allowed 


When a user violates login restrictions by entering an incorrect password or exceeding the 
number of logins with an expired password, the account is disabled and no one can log in using 
that username. This prevents unauthorized users from logging in. 


* Setting account limits such as an account balance or expiration date 


* Limiting disk space for each user by specifying the maximum blocks available for each user on 
a volume 


* Specifying the number of simultaneous connections a user can have 
* Specifying (by node address) which workstations users can log in on 
* Restricting the times when users can log in (you can assign all users the same hours or you can 
restrict users individually) 


For specific information on setting these restrictions, see the online help located in Novell iManager. 
4.4 Using OpenSLP to Simplify Login 


The service location protocol (SLP) was developed so that networking applications such as the 
Novell Client for Linux could discover the existence, location, and configuration of networked 
services in enterprise networks. Without SLP, users must supply the hostname or network address of 
the service that they want to access. 


Because SLP makes the existence, location, and configuration of certain services known to all 
clients in the local network, the Novell Client for Linux can use the information distributed to 
simplify login. For the Novell Client, having SLP set up allows users to see the trees, contexts, and 
servers available to them when they use the Novell Client for Linux Login screen. When they click 
the Browse button, a list of available trees, contexts, or servers appears and they can select the 
appropriate ones. For example, instead of remembering an IP address or DNS name for a server, 
users can select the server's name from a list of available servers. 


SLP must be activated and set up on your Novell servers in order for the Novell Client to take 
advantage of it. For more information, see “SLP Services in the Network” in the SUSE LINUX 
Enterprise Server 9 Administration Guide (http://www.novell.com/documentation/oes/ 
index.html?page=/documentation/oes/sles_admin/data/sec-net-slp.html#sec-net-slp). 


SLP is not set up by default on Linux workstations. The Novell Client for Linux includes a Novell 
Client Configuration Wizard to simplify the process of configuring your SLP and other Novell 
Client configuration options. The Novell Client Configuration Wizard provides only basic SLP 
configuration because this is all that is required by the client. However, if other applications on your 
workstation require more advanced settings, you can modify the /etc/slp.conf file to set 
advanced settings. 


For more information on advanced SLP configuration, see the OpenSLP Web site (http:// 
www.openslp.org). In addition, the /usr/share/doc/packages/openslp directory 
contains documentation on SLP, including a README.SuSE file containing the SUSE LINUX 
details, several RFCs, and two introductory HTML documents (An Introduction to SLP and 
OpenSLP User's Guide). RFC 2609 details the syntax of the service URLs used and RFC 2610 
details DHCP via SLP. 


4.4.1 Setting Up SLP 


1 Launch the Novell Client Configuration Wizard using either of the following methods: 
* Click the Novell tray icon > System Settings. 
* In YaST, click Network Services > Novell Client. 

2 Select Service Location Protocol (OpenSLP), then click Start Wizard. 

3 Specify the following SLP information for your network: 


* Scope List: Specify the scopes that a user agent (UA) or service agent (SA) is allowed 
when making requests or registering, or the scopes that a directory agent (DA) must 
support. 


* Directory Agent List: Specify the specific DAs that UA and SA agents must use. If this 
setting is not used, dynamic DA discovery is used to determine which DAs to use. 


* Broadcast Only: Select this option to use broadcasting instead of multicasting. This 
setting is not usually necessary because OpenSLP automatically uses broadcasting if 
multicasting is unavailable. 
SLP is designed to use IP multicasting; however, if any SLP Agent does not implement IP 
multicasting, then all Agents must use broadcasting to reach that Agent. If a DA does not 
support multicasting, we recommend using the Directory Agent List to configure that 
Directory Agent rather than using this option. 


If the network does not contain a DA, IP servers must use their own SAs to specify the 
services that are available. If the SA does not support multicasting and if there are any 
services advertised by that SA that are needed by the UA on this machine, then use the 
Broadcast Only option. 


Broadcasting has the disadvantage of being limited to the local LAN segment. 


* Maximum Results: Specify a 32-bit integer giving the maximum number of results to 
accumulate and return for a synchronous request before the time-out, or the maximum 
number of results to return through a callback if the request results are reported 
asynchronously. 


4 Complete the Novell Client Configuration Wizard. 
5 Restart the workstation. 


4.4.2 Troubleshooting SLP Configuration 


If users cannot see a list of available trees, contexts, and servers when they use the Novell Client for 
Linux Login screen, use slptool, located in /usr/bin, to troubleshoot your SLP configuration. 


After you start slpd (located in /usr/sbin), you should be able to issue a query for SLP service 
agents using the following command: 


slptool findsrvs service:service-agent 


This should display a list of the hosts that are running slpd, which indicates that OpenSLP is 
successfully installed and working. If you do not get a list, OpenSLP is not installed correctly or is 
not working. See Section 4.4.1, “Setting Up SLP,” on page 29 for more information. 
Managing File Security 


Novell Open Enterprise Server (OES) and NetWare networks restrict access to network files and 
folders based on user accounts. For example, a user connected to the network using the 
Administrator account can delete or rename a file that other users can only open and edit. 


The Novell file system keeps track of the rights that users have to files and directories on the 
network. When users try to access any file on the network, Novell File Services (NFS) either grants 
access or prohibits certain things that users can do with the file. 


It is important to note that Linux file rights do not correlate with NFS file rights. When you copy a 
file from a Linux workstation to a Novell server, the only right that is preserved is the Read-Only 
attribute. This also occurs if you copy files from one server to another using any method other than 
NCOPY at the command terminal. 


For more information on the specific rights on NetWare and OES servers, see "File Services" 
(http://www.novell.com/documentation/oes/implgde/data/filesvcs.html) in the Novell OES Planning and 
Implementation Guide. 


For additional information on file system attributes, see the File Systems Management Guide for 
OES (http://www.novell.com/documentation/oes/stor_filesys/data/hnOr5fzo.html). 


Rights are granted and revoked by creating trustee assignments. For more information, see Section 
5.2, “Changing Trustee Rights,” on page 33. 


This section explains the following: 
* Checking File or Folder Rights (page 31) 


* Changing Trustee Rights (page 33) 
* Combining Multiple Trustees (page 34) 


5.1 Checking File or Folder Rights 


1 In a file manager, right-click a Novell file system directory or file. 
2 Do one of the following: 

* GNOME: Click Novell Properties. 

* KDE: Click Actions > Novell Properties. 




3 Click the Novell Rights tab. 


Figure: Properties dialog for a Novell folder, Novell Rights tab (Folder Information; Trustees list with the rights columns S R W E C M F A; Inherited Rights and filters button; Effective Rights check boxes for Read, Write, Erase, Create, Modify, File Scan). 


4 View the information. 


The Trustees list shows the users or groups that have been granted rights to work with this file 
or folder. The trustee's rights to the folder also apply to all the files and subfolders it contains 
unless the rights are explicitly redefined at the file or subfolder level. 


The rights that each trustee has are shown by check marks under the letters. If you are viewing 
the properties of multiple files, the trustees and rights shown are the combined trustees and 
rights for all the files. 


Effective Rights displays your rights for this file or folder. Users can receive rights in a number 
of ways, such as explicit trustee assignments, inheritance, and security equivalence (see 
eDirectory Rights Concepts (http://www.novell.com/documentation/edir873/edir873/data/ 
fbachifb.html) in the Novell eDirectory 8.7.3 Administration Guide for more information). 
Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee 
assignments. The net result of all these actions—the rights a user can employ—are called 
effective rights. 


5 To view a list of rights and filters inherited by this file or directory, click Inherited Rights and 
filters. 


All rights assignments on directories are inheritable. You can block such inheritance on 
individual subordinate items so that the rights aren't effective on those items, no matter who the 
trustee is. One exception is that the Supervisor right can't be blocked. 


6 Click OK. 
5.2 Changing Trustee Rights 


The assignment of rights involves a trustee and a target object. The trustee represents the user or set 
of users that are receiving the authority. The target represents those network resources the users have 
authority over. You must have the Access Control right to change trustee assignments. 


1 In a file manager, right-click a Novell file system directory or file. 


2 Do one of the following: 

* GNOME: Click Novell Properties. 
* KDE: Click Actions > Novell Properties. 


3 Click the Novell Rights tabbed page. 


4 In the Trustees list, select the trustee whose rights you want to change. 


5 Select or deselect the rights you want to assign for this trustee. 


For each trustee in the list, there is a set of eight check boxes, one for each right that can be 
assigned. If a check box is selected, the trustee has that right. The following rights can be set 
for each trustee: 


* Read: For a directory, grants the right to open files in the directory and read the contents 
or run the programs. For a file, grants the right to open and read the file. 


* Write: For a directory, grants the right to open and change the contents of files in the 
directory. For a file, grants the right to open and write to the file. 


* Erase: Grants the right to delete the directory or file. 


* Create: For a directory, grants the right to create new files and directories in the directory. 
For a file, grants the right to create a file and to salvage a file after it has been deleted. 


* Modify: Grants the right to change the attributes or name of the directory or file, but does 
not grant the right to change its contents (changing the contents requires the Write right). 


* File Scan: Grants the right to view directory and file names in the file system structure, 
including the directory structure from that file to the root directory. 


* Access Control: Grants the right to add and remove trustees for directories and files and 
modify their trustee assignments and Inherited Rights Filters. 


* Supervisor: Grants all rights to the directory or file and any subordinate items. The 
Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can 
grant or deny other users rights to the directory or file. 


6 Click OK. 


Trustee assignments override inherited rights. To change an Inherited Rights Filter, click Inherited 
Rights and filters. 


5.3 Adding a Trustee 


When you add a trustee to a Novell file system directory or file, you grant a user (the trustee) rights 
to that directory or file. You must have the Access Control right to add a trustee. 


1 In a file manager, right-click the Novell file or directory that you want to add a trustee to. 


2 Do one of the following: 

* GNOME: Click Novell Properties. 
* KDE: Click Actions > Novell Properties. 

3 Click the Novell Rights tab. 


4 In the tree diagram, locate the eDirectory™ user object that you want to add as a trustee, then 
click Add. 


5 Set the rights for this user by selecting the boxes under the letters on the right of the Trustees 
list. 


The following rights can be set for each trustee: 


* Read: For a directory, grants the right to open files in the directory and read the contents 
or run the programs. For a file, grants the right to open and read the file. 


* Write: For a directory, grants the right to open and change the contents of files in the 
directory. For a file, grants the right to open and write to the file. 


* Erase: Grants the right to delete the directory or file. 


* Create: For a directory, grants the right to create new files and directories in the directory. 
For a file, grants the right to create a file and to salvage a file after it has been deleted. 


* Modify: Grants the right to change the attributes or name of the directory or file, but does 
not grant the right to change its contents (changing the contents requires the Write right). 


* File Scan: Grants the right to view directory and file names in the file system structure, 
including the directory structure from that file to the root directory. 


* Access Control: Grants the right to add and remove trustees for directories and files and 
modify their trustee assignments and Inherited Rights Filters. 


* Supervisor: Grants all rights to the directory or file and any subordinate items. The 
Supervisor right can't be blocked by an Inherited Rights Filter. Users with this right can 
grant or deny other users rights to the directory or file. 


6 Click OK. 


5.4 Removing a Trustee 


When you remove a trustee of a Novell file system directory or file, you delete a user's rights to that 
directory or file. You must have the Access Control right to remove a trustee. 
1 In a file manager, right-click the Novell file or directory whose trustee you want to remove. 
2 Do one of the following: 
* GNOME: Click Novell Properties. 
* KDE: Click Actions > Novell Properties. 
3 Click the Novell Rights tab. 
4 In the Trustees list, select the trustee you want to remove. 
5 Click Remove, then click OK. 


5.5 Combining Multiple Trustees 


As an administrator, you might need to apply the same trustee assignments to a group of selected 
files. You can combine trustee assignments by selecting the Combine multiple Trustees option on the 
Novell Rights page. 
For example, Kim is a trustee of FILEA and FILEB. Kim has Read, File Scan, and Access Control 
rights for FILEA and Read and File Scan rights for FILEB. Nancy has Read and File Scan rights for 
FILEA. 


If you give a new user named Michael the Read, Write, and File Scan rights for both FILEA and 
FILEB and, at the same time, you want to give similar trustee rights for Kim and Nancy, you would 
select Combine Multiple Trustees. The following would then be true: 


* Kim has Read and File Scan rights to both FILEA and FILEB. Her Access Control right is lost 
because the combined rights are based on the rights given to Michael. 


* Nancy has Read and File Scan rights to both FILEA and FILEB. She has gained Read and File 
Scan rights to FILEB because the combined rights are based on the rights given to Michael. 


* Michael has Read, Write, and File Scan rights to both FILEA and FILEB. 
To combine multiple trustees: 


1 In a file manager, select all the Novell files or directories that you want to combine rights for. 
2 Right-click the files or directories, then select one of the following: 
* GNOME: Click Novell Properties. 
* KDE: Click Actions > Novell Properties. 
3 Click the Novell Rights tab. 
4 Click Combine multiple Trustees, then click OK. 
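The rights rules stated in Section 5.1 (inheritance down the directory tree, Inherited Rights Filters that cannot block Supervisor), Section 5.2 (explicit trustee assignments override inherited rights) and Section 5.5 (Combine multiple Trustees), worked through as a small Python model. This is an added example, not code from the Novell Client; the class and function names are hypothetical. The combine rule is this example's reading of the Kim, Nancy and Michael case above: each existing trustee ends up with the rights it already held on any of the selected files, limited to the rights given to the new trustee, on every selected file.

```python
"""Model of Novell file-system trustee rights as this chapter describes them.

Added example; hypothetical names, not the product's own code.
"""
from __future__ import annotations

# The eight rights, in the order the Novell Rights tab shows them (SRWECMFA).
SUPERVISOR, READ, WRITE, ERASE, CREATE, MODIFY, FILE_SCAN, ACCESS_CONTROL = "SRWECMFA"
ALL_RIGHTS = frozenset("SRWECMFA")


def format_rights(rights: frozenset[str]) -> str:
    """Render a rights set the way the Novell Rights tab does (a letter per granted right)."""
    return "".join(r if r in rights else "-" for r in "SRWECMFA")


class Tree:
    """A tiny directory tree: explicit trustee assignments and IRFs keyed by path."""

    def __init__(self) -> None:
        self.trustees: dict[str, dict[str, frozenset[str]]] = {}
        self.irf: dict[str, frozenset[str]] = {}  # rights the filter lets through

    def assign(self, path: str, trustee: str, rights: str) -> None:
        """Explicit trustee assignment at `path` (requires Access Control in practice)."""
        self.trustees.setdefault(path, {})[trustee] = frozenset(rights)

    def set_irf(self, path: str, allowed: str) -> None:
        """Inherited Rights Filter: Supervisor cannot be filtered, so it always passes."""
        self.irf[path] = frozenset(allowed) | {SUPERVISOR}

    @staticmethod
    def _ancestors(path: str) -> list[str]:
        """'/a/b' -> ['/', '/a', '/a/b'] (root first)."""
        parts = [p for p in path.split("/") if p]
        return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

    def effective_rights(self, path: str, trustee: str) -> frozenset[str]:
        """Walk from the root down to `path`, applying IRFs and explicit assignments."""
        rights: frozenset[str] = frozenset()
        for node in self._ancestors(path):
            if node in self.irf:                 # inherited rights pass through the IRF
                rights &= self.irf[node]
            explicit = self.trustees.get(node, {}).get(trustee)
            if explicit is not None:             # an assignment here overrides inheritance
                rights = explicit
        # Supervisor grants all rights to the item and everything below it.
        return ALL_RIGHTS if SUPERVISOR in rights else rights


def combine_multiple_trustees(
    files: dict[str, dict[str, frozenset[str]]], new_trustee: str, rights: str
) -> dict[str, dict[str, frozenset[str]]]:
    """Apply 'Combine multiple Trustees' when `new_trustee` is given `rights` on all `files`.

    Every trustee of any selected file becomes a trustee of all of them; each keeps the
    rights it held on any of the files, capped at the rights given to the new trustee.
    """
    given = frozenset(rights)
    held: dict[str, set[str]] = {}
    for trustees in files.values():
        for name, r in trustees.items():
            held.setdefault(name, set()).update(r)
    result: dict[str, dict[str, frozenset[str]]] = {}
    for path in files:
        result[path] = {name: frozenset(r) & given for name, r in held.items()}
        result[path][new_trustee] = given
    return result


if __name__ == "__main__":
    # Constructed data reproducing the FILEA/FILEB example from the text.
    files = {
        "FILEA": {"Kim": frozenset("RFA"), "Nancy": frozenset("RF")},
        "FILEB": {"Kim": frozenset("RF")},
    }
    for path, trustees in combine_multiple_trustees(files, "Michael", "RWF").items():
        for name, r in sorted(trustees.items()):
            print(f"{path} {name:8} {format_rights(r)}")
```

Running the block prints the table the text describes: Kim and Nancy hold `-R----F-` on both files (Kim's Access Control is gone), and Michael holds `-RW---F-`. The `Tree` class is the piece to use when reasoning about the Effective Rights box in Section 5.1: give a user rights at the root, put an IRF on a subdirectory, and compare what survives with and without Supervisor.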
Security Considerations 


This section contains the following topics: 


* Section 6.1, "Security Features," on page 37 
* Section 6.2, "Known Security Threats," on page 38 
* Section 6.3, "Security Characteristics," on page 38 
* Section 6.4, "New and Modified Files," on page 39 
* Section 6.5, "Other Security Considerations," on page 42 


6.1 Security Features 


The following table contains a summary of the Novell Client for Linux security features: 

Table 6-1 Novell Client for Linux Security Features 

Each entry gives the feature, whether the product provides it (Yes/No), and details. 

* Users are authenticated: Yes. GUI and command line login utilities support authentication of NCP and LDAP connections via user authentication into eDirectory. NCP protocol authentication is supported via RSA, and LDAP authentication is supported via SSL and Simple Bind protocol. 

* Servers, devices, and/or services are authenticated: Yes. Connections to servers are authenticated via user-supplied credentials. No device authentication is supported directly by the Client. 

* Access to information is controlled: Yes. The product's Virtual File System (VFS) component (located in Linux kernel space) is the gatekeeper for enforcement of access controls to Novell file systems. 

* Roles are used to control access: No. No explicit use of roles is included in this product. eDirectory alias objects can be created, but this is not considered true role-based access and is not specifically supported or administered through this product. 

* Logging and/or security auditing is done: No. Security logging and auditing features are not supplied by nor supported by this product. 

* Data on the wire is encrypted by default: No. No wire encryption is supplied by this product. 

* Data stored is encrypted: No. This product does not provide long-term storage of data. 

* Passwords, keys, and any other authentication materials are stored encrypted: Yes. Passwords and other authentication materials in temporary storage are encrypted to prevent in-memory scanners. 

* Security is on by default: Yes. There are no configuration options to enable or disable, with the exception of packet signing. Packet signing is enabled by default. 

* FIPS 140-2 compliant: No. This product currently uses the ATB (authentication toolbox) instead of Novell's NICI product. Therefore, this product is not FIPS 140-2 compliant because ATB itself is not FIPS-compliant. 


6.2 Known Security Threats 


The following section provides a list of known security threats for the Novell Client for Linux, an 
indication of how difficult it would be to exploit the threat, and what the consequences would be for 
a customer. 


Table 6-2 Known Security Threats 

Each entry gives the description of the threat, its consequence, the likelihood, and the difficulty. 

* Repetitive password cracking attempts. Consequence: intruder detection lockout. Likelihood: Low. Difficulty: Hard. 

* "Stale" passwords. Consequence: password expiration, grace login enforcement. Likelihood: High. Difficulty: Hard. 

* Attempted access out-of-hours or from unauthorized locations. Consequence: date/time and location restrictions at login. Likelihood: Medium. Difficulty: Easy. 

* Port scanners. Consequence: unsuccessful pass of Nessus scans; possible port hijacking. Likelihood: Medium. Difficulty: Possible. 

* Man-in-the-middle attacks. Consequence: NCP request sequencing, packet signing. Likelihood: Low. Difficulty: Hard. 

* Wire frame examination and manipulation. Consequence: same protections as with other Novell products utilizing NCP and RSA-based authentication. Likelihood: Low. Difficulty: Hard. 

* Memory scanning for sensitive data. Consequence: all buffers containing sensitive data (passwords) are short-term in nature and are zeroed and/or freed immediately after use. Likelihood: Low. Difficulty: Hard. 


6.3 Security Characteristics 


* Section 6.3.1, "Identification and Authentication," on page 39 
* Section 6.3.2, "Authorization and Access Control," on page 39 
* Section 6.3.3, "Roles," on page 39 
* Section 6.3.4, "Security Auditing," on page 39 
6.3.1 Identification and Authentication 


This product uses X-Tier to authenticate users via user identity information stored in eDirectory and 
resource authorization and access control provided by eDirectory. The product takes a user name 
and password supplied directly by the user and transfers that information to X-Tier for use within its 
supported authentication mechanisms (via X-Tier's plug-in authentication module architecture). If 
configured to do so, this product will authenticate (using PAM NAM (LUM)) to eDirectory through 
SSL and LDAP Simple Bind Protocol. 


This product does not itself authenticate to another product, system or service. No portion of this 
product authenticates to another. 


6.3.2 Authorization and Access Control 


This product allows the protections supplied by eDirectory for access control to be fully realized for 
those resources that are contained within eDirectory. Access to resources is protected based on user 
identity (as stored within eDirectory). The VFS, Daemon, and X-Tier work together to compare 
ACLs for a given file system path or object retrieved from eDirectory to the identity and session 
scope established for the identity that owns a given connection. 


The VFS acts as a proxy to the local file system (via redirection of its local mount point) to make 
such decisions for network-based file system paths or objects. 


6.3.3 Roles 


This product does not define or manage roles. It simply makes use of roles that have already been 
defined elsewhere and treats role access privileges in the same way as any user identity. 


Because the product has a VFS module running in the kernel, it does not require root access for 
users to create mount points (as do NCPFS and other similar open source offerings to date). The 
product does not require use of SETUID for any of its operations. 


6.3.4 Security Auditing 


No security auditing is performed by this product. 


6.4 New and Modified Files 


The following sections describe the files that are added or modified during the installation of the 
Novell Client for Linux. 


* Section 6.4.1, "Configuration Files," on page 40 
* Section 6.4.2, "PAM Login Files," on page 40 
* Section 6.4.3, "User Profile Startup Files," on page 41 
* Section 6.4.4, "KDE and GNOME Desktop Startup Files," on page 41 
* Section 6.4.5, "Installation Files," on page 42 


6.4.1 Configuration Files 


Table 6-3 New and Modified Configuration Files 

* $HOME/.novell/ncl/StartupLogin.conf (New): Local user autologin configuration file. All fields in the Novell Login dialog box (except the password) are stored in this file. 

* $HOME/.novell/ncl/MapDrives.conf: This user configuration file specifies the drive mapping to run at startup. Integrated login is not required, but credentials must be saved or the login dialog box is displayed to get the password at desktop startup. 

* /etc/opt/novell/ncl/login.conf: Optional global configuration file that overrides defaults. This file is modified only by the root user, normally with YaST using the Novell Client Configuration Wizard for the login page (click the Novell Tray icon, select System Settings, and start the Login Wizard). 


6.4.2 PAM Login Files 


Table 6-4 New and Modified PAM Login Files 

* /lib/security/pam_ncl_autologin.so (New): This file queries CASA credentials, verifies if autologin is allowed, verifies the user with credentials, then authenticates. 

* /etc/pam.d/xdm (Modified): PAM configuration file for the X Display Manager login. 

* /etc/pam.d/gdm (Modified): PAM configuration file for the GNOME Display Manager login. 

* /etc/pam.d/kdm (Modified): PAM configuration file for the KDE Display Manager login. 

* /etc/pam.d/sshd (Modified): PAM configuration file for SSH login. 


A "required" authentication module is added for each of the above GUI logins. The added text is 
auth required pam_ncl_autologin.so, which is added after the 
pam_micasa.so module (if it exists). 


Authentication is not added for the two console login authentication files, /etc/pam.d/login 
and /etc/pam.d/sshd. This modification is done at install time and is removed at uninstall 
time. 


IMPORTANT: For the root user, no tree authentication is performed, no automatic login scripts are 
run, and no drives are mapped. Therefore, the pam_ncl_autologin.so module always returns 
SUCCESSFUL, having done nothing for the root user. 
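A way to verify the PAM change just described on a workstation, as an added example (not the product's own login_cfg_pam tool; the function names are hypothetical). It inserts `auth required pam_ncl_autologin.so` directly after the pam_micasa.so module, as the text states, and audits a PAM file for the module's presence, its "required" control flag and its ordering relative to pam_micasa.so. Where a file has no pam_micasa.so line, the example appends after the last auth entry; the page does not say where the installer puts the line in that case, so that placement is an assumption. The PAM file contents below are constructed samples, not actual SLED files.

```python
"""Insert and audit the pam_ncl_autologin.so entry in a PAM configuration file.

Added example with hypothetical function names; it is not the Novell installer.
"""
from __future__ import annotations

MODULE = "pam_ncl_autologin.so"
PREDECESSOR = "pam_micasa.so"
NEW_LINE = f"auth     required   {MODULE}"


def _fields(line: str) -> list[str]:
    """Split a PAM line into [type, control, module, args...]; comments yield []."""
    stripped = line.split("#", 1)[0].strip()
    return stripped.split() if stripped else []


def insert_autologin(pam_text: str) -> str:
    """Return the PAM file text with the autologin module inserted exactly once."""
    lines = pam_text.splitlines()
    entries = [_fields(l) for l in lines]
    if any(len(f) >= 3 and f[0] == "auth" and f[2].endswith(MODULE) for f in entries):
        return pam_text  # already present; never stack it twice
    insert_at = None   # index of the pam_micasa.so auth line, if any
    last_auth = None   # index of the last auth line (fallback position)
    for i, f in enumerate(entries):
        if len(f) >= 3 and f[0] == "auth":
            last_auth = i
            if f[2].endswith(PREDECESSOR):
                insert_at = i
    if insert_at is None:
        insert_at = last_auth  # assumption: no CASA module, so append to the auth stack
    if insert_at is None:
        raise ValueError("PAM file has no auth entries")
    lines.insert(insert_at + 1, NEW_LINE)
    return "\n".join(lines) + "\n"


def audit_autologin(pam_text: str) -> dict[str, bool]:
    """Report whether the module is present, marked required, and after pam_micasa.so."""
    auth = [f for f in map(_fields, pam_text.splitlines()) if len(f) >= 3 and f[0] == "auth"]
    names = [f[2].rsplit("/", 1)[-1] for f in auth]  # module basenames, stack order
    present = MODULE in names
    required = any(f[1] == "required" and f[2].endswith(MODULE) for f in auth)
    if present and PREDECESSOR in names:
        ordered = names.index(PREDECESSOR) < names.index(MODULE)
    else:
        ordered = present  # nothing to order against when CASA's module is absent
    return {"present": present, "required": required, "after_micasa": ordered}


# Constructed sample of a display-manager PAM file that already carries CASA's module.
SAMPLE_GDM = """\
#%PAM-1.0
auth     required   pam_unix2.so
auth     required   pam_micasa.so
account  required   pam_unix2.so
session  required   pam_unix2.so
"""

# Constructed sample without pam_micasa.so (exercises the fallback placement).
SAMPLE_NO_CASA = """\
#%PAM-1.0
auth     required   pam_unix2.so
account  required   pam_unix2.so
"""

if __name__ == "__main__":
    for name, text in (("gdm", SAMPLE_GDM), ("no-casa", SAMPLE_NO_CASA)):
        print(name, "before:", audit_autologin(text))
        print(name, "after: ", audit_autologin(insert_autologin(text)))
```

On a real workstation, feed `audit_autologin` the contents of /etc/pam.d/gdm, /etc/pam.d/kdm and /etc/pam.d/xdm after installation; `after_micasa` is the check that matters when CASA is installed, because the autologin module depends on the credentials CASA has already collected.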
6.4.3 User Profile Startup Files 


Table 6-5 New and Modified User Profile Startup Files 

* /etc/profile.d/novell-ncl-autologin.sh (New): This script determines if the desktop is GNOME or KDE, then installs (or removes) the session startup file ($HOME/.kde/Autostart/ncl_autologin.desktop or $HOME/.gnome2/session-manual) for that Display Manager. 

* /opt/novell/ncl/bin/ncl_autologin.desktop: This file is copied to $HOME/.kde/Autostart and runs ncl_autologin. 


6.4.4 KDE and GNOME Desktop Startup Files 


Table 6-6 New or Modified Desktop Startup Files 

* $HOME/.kde/Autostart/ncl_autologin.desktop (New): KDE startup for ncl_autologin. 

* $HOME/.gnome2/session-manual (New): GNOME startup for ncl_autologin. 

* /opt/novell/ncl/bin/ncl_autologin (New): Validates and runs nwlogin or gnwlogin. 

* /opt/novell/ncl/bin/nwlogin: This existing file silently authenticates and processes scripts. 

* /opt/novell/ncl/bin/gnwlogin (Modified): GUI for authentication, processing scripts, and saving settings. This file adds a new tab (called Startup) to the Novell Login dialog box which allows users to save their current login settings for use during the next system startup to automatically log in the user. 

When the user clicks Clear Profile on the Startup tab, the $HOME/.novell/ncl/StartupLogin.conf file is deleted. 

When the user clicks Save Current Profile, the settings are used to authenticate the user (but not run login scripts). If authentication is successful (CASA stores those credentials), the current settings are written to StartupLogin.conf. 
6.4.5 Installation Files 


Table 6-7 New Installation Files 


File | New | Modified | Description 

/opt/novell/ncl/bin/delete_login_profiles | X | | Run from YaST to purge all profiles. 

/opt/novell/ncl/bin/login_cfg_pam | X | | Inserts pam_ncl_autologin into PAM file. 

/opt/novell/ncl/bin/login_ucfg_pam | X | | Removes pam_ncl_autologin from PAM file. 


6.5 Other Security Considerations 


* If root is compromised, all network access could also be compromised. For example, if a 
malicious entity gets root access, it might be able to steal user credentials and authenticate to 
the network with those credentials. 
Compiling the Novell Client Virtual File System Kernel Module 


If you have updated the kernel on your workstation, you must compile the Novell® Client™ Virtual 
File System Kernel Module so that it works with the updated kernel. Compiling the Novell Client 
Virtual File System Kernel Module requires the following steps: 


1. Ensure that the right packages are installed on your workstation so that the kernel module can 
be compiled. 
See Section A.1, "Installing the Required Packages," on page 43. 


2. (Conditional) Install the Novell Client software so that the kernel module pieces are on the 
workstation. 


See the “Novell Client for Linux 1.2 Installation Quick Start.” 


NOTE: If you installed the Novell Client for Linux and the installation failed, you do not need 
to repeat this step. 


3. Compile the Novell Client Virtual File System Kernel Module. 


See Section A.2, “Compiling the Novell Client Virtual File System Kernel Module," on 
page 44. 


4. Restart the workstation. 


A.1 Installing the Required Packages 


If you want to use the precompiled Novell Client for Linux Virtual File System provided with the 
distribution, make sure the following packages are installed on your workstation before you install 
the Novell Client for Linux: 


* novfs-kmp-default 


* novfs-kmp-smp or novfs-kmp-bigsmp (depending on your kernel) 


If you want to compile the Novell Client for Linux Virtual File System from sources provided with 
the Novell Client for Linux 1.2, make sure the following packages are installed on your workstation 
before you install the Novell Client for Linux: 


* gcc 
* kernel-source 
* make 


To install the required packages: 


1 Launch the YaST Control Center. 
  SLED 10 GNOME: Click Computer > More Applications > System > YaST. 
  SUSE Linux 10.1 GNOME: Click Desktop > YaST. 
  KDE: Click the menu button > System > YaST. 
2 If you are not logged in as root, type the root password, then click Continue. 
3 Click Software in the left column, then click Software Management in the right column. 
4 Click Search in the Filter drop-down list. 
5 Type the name of the package you want to install in the Search field, then click Search. 
6 Select the package for installation. 
7 Repeat Step 5 and Step 6 for each package that you want to install. 
8 Click Accept to install all of the selected packages. 
  YaST displays the progress of the package installation. 
9 (Conditional) If a message informs you that other package selections have been made to 
  resolve dependencies, click Continue. 
10 (Conditional) If a message prompts you to insert a SUSE® Linux CD, put the CD in the CD 
  drive, then click OK. 
11 After all the packages have been installed, click Close to close the YaST Control Center. 


A.2 Compiling the Novell Client Virtual File System Kernel Module 


Depending on whether you have a standard kernel that has been updated or a custom kernel 
that needs to have the Novell Client Virtual File System Kernel Module added, the steps for 
compiling the module differ. 


* Section A.2.1, "Compiling the Novell Client Virtual File System Kernel Module After a Kernel 
Update," on page 44 


* Section A.2.2, "Compiling the Novell Client Virtual File System Kernel Module on 
Workstations Running a Custom Kernel," on page 45 


A.2.1 Compiling the Novell Client Virtual File System Kernel Module After a Kernel Update 


If you have updated the kernel on the workstation, you must compile the Novell Client Virtual File 
System Kernel Module so that it works with the updated kernel. 

1 In a terminal, log in as root. 
2 Enter the following command: 
  cd /opt/novell/ncl/src/novfs 
3 Enter the following command: 
  ./mk_novfs 


The Novell Client Virtual File System Kernel Module is updated to match your updated kernel. 
A.2.2 Compiling the Novell Client Virtual File System Kernel Module on Workstations Running a 
Custom Kernel 


If you have a custom kernel on the workstation, you must compile the Novell Client Virtual File 
System Kernel Module so that it works with the custom kernel. 


1 In a terminal, log in as root. 

2 Unpack the /proc/config.gz file and copy the resulting config to the new name 
  /usr/src/linux/.config. 

3 In the /usr/src/linux directory, enter the following command: 
  make 

  TIP: You might also need to enter make -C /usr/src/linux-obj/i386/$i SUBDIRS=$PWD clean. 
  The easiest way to do this is to copy the mk_novfs script and change the BUILD_TYPE to 
  "clean." 

4 In the /opt/novell/ncl/src/novfs directory, enter the following command: 
  ./mk_novfs 

The Novell Client Virtual File System Module is updated to match your custom kernel. 
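The A.2.1 and A.2.2 procedures as one script, added here as an example (not a Novell script). The paths are the guide's defaults and can be overridden through the environment; the custom-kernel path assumes the running kernel exposes /proc/config.gz, which requires a kernel built with CONFIG_IKCONFIG_PROC.

```shell
#!/bin/sh
# Added example (not a Novell script): the A.2.1 and A.2.2 procedures as one
# script. Paths default to the ones the guide gives and may be overridden
# through the environment.
#
# Usage: rebuild_novfs.sh standard|custom
#   standard : updated distribution kernel -> run ./mk_novfs (A.2.1)
#   custom   : self-built kernel -> seed .config from the running kernel,
#              run make in the kernel source tree, then ./mk_novfs (A.2.2)

KSRC=${KSRC:-/usr/src/linux}
NOVFS_SRC=${NOVFS_SRC:-/opt/novell/ncl/src/novfs}
CONFIG_GZ=${CONFIG_GZ:-/proc/config.gz}

# seed_kernel_config CONFIG_GZ KSRC  (step 2 of A.2.2)
# Unpacks the running kernel's configuration into KSRC/.config. An existing
# .config is moved aside rather than overwritten, and the result is checked
# to contain CONFIG_ symbols so a bad archive is caught before "make" runs.
seed_kernel_config() {
    gz=$1; ksrc=$2
    # /proc/config.gz exists only if the kernel was built with CONFIG_IKCONFIG_PROC
    [ -r "$gz" ] || { echo "error: $gz not readable (kernel built without IKCONFIG_PROC?)" >&2; return 1; }
    [ -d "$ksrc" ] || { echo "error: kernel source tree $ksrc not found" >&2; return 1; }
    if [ -e "$ksrc/.config" ]; then
        mv "$ksrc/.config" "$ksrc/.config.bak.$(date +%Y%m%d%H%M%S)"
    fi
    gzip -dc "$gz" > "$ksrc/.config" || return 1
    grep -q '^CONFIG_' "$ksrc/.config" || { echo "error: $gz is not a kernel config" >&2; return 1; }
}

# build_novfs standard|custom  -> runs the remaining steps; must be run as root
build_novfs() {
    mode=${1:-standard}
    [ "$(id -u)" -eq 0 ] || { echo "error: run as root" >&2; return 1; }
    if [ "$mode" = custom ]; then
        seed_kernel_config "$CONFIG_GZ" "$KSRC" || return 1
        ( cd "$KSRC" && make ) || return 1        # step 3 of A.2.2
    fi
    ( cd "$NOVFS_SRC" && ./mk_novfs )             # A.2.1 step 3 / A.2.2 step 4
}

if [ $# -gt 0 ]; then build_novfs "$1"; fi
```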




The Novell Client for Linux Commands 


The Novell® Client™ for Linux provides a set of command line utilities that let you start and stop 
the Novell Client daemon, install and uninstall the Novell Client for Linux, load the Novell Client for 
Linux tray application, list active connections for the currently logged-in user, copy files and 
directories to and from Novell file systems, display or modify the attributes of files and directories 
on Novell file systems, log a user in to or out of a Novell file server or eDirectory™ tree, map a local 
file system to a remote file system on a Novell file server, and display or modify a user's trustee 
assignments or inherited rights filter for volumes, directories, or files. 


The utilities are located in the /opt/novell/ncl/bin directory, and include the following: 


* Section B.1, "Shell Commands," on page 47 
* Section B.2, "GUI Utilities," on page 48 


B.1 Shell Commands 


Table B-1 The Novell Client for Linux Shell Commands 


Utility | Description | Syntax 

ncl_tray | Loads the Novell Client for Linux tray application and allows customization of the 
    tray interface. | ncl_tray basic_options Qt_options KDE_options 

nwconnections | Lists active connections for the currently logged-in user. | 
    nwconnections [--] [-v] [-h] 

nwcopy | Copies files and directories to and from Novell file systems. | 
    nwcopy flags -p source_path -t target_path 

nwflag | Displays or modifies the attributes of files and directories on Novell file 
    systems. | nwflag (-a|-n) (-w|-e eDir_object|*|-attr_modifier) [-s] [-d|-f] [--] [-v] [-h] 
    URI1 {URI2} {URI3} 

nwlogin | Logs a user in to a Novell file server or an eDirectory tree. | 
    nwlogin [-u string] [-p string] [-t string] [-c string] [-s string] [-r] [-L path] [-P path] 
    [-2 string] [-3 string] [-4 string] [-5 string] [--] [-v] [-h] 

nwlogout | Logs the user out of a Novell server or eDirectory tree. | 
    nwlogout {-s string|-t string} [-f] [--] [-v] [-h] 

map | Creates a mapping (mount) from a local file system to a remote file system on a Novell 
    file server. | map -d drive -s server -v volume -f filespec 
    or 
    map options | parameters drive:=path | local_path:=remote_path 

nwrights | Displays or modifies a user's trustee assignments or inherited rights filter for 
    volumes, directories, or files. | nwrights flags -r *|-rights_list -o user_or_group_object 
    -p network_path 


B.2 GUI Utilities 


Table B-2 The Novell Client for Linux GUI Utilities 


Utility | Description 

gnwconnections | Displays the Novell Connections dialog box, which lets you see what servers and 
    trees you are logged in to, refresh connections, set a specific tree as your primary 
    connection, or log out of a tree or server. For more information on using this dialog box, 
    see "Viewing Your Network Connections" in the Novell Client for Linux User Guide. 

gnwlogin | Displays the Novell Login dialog box. For more information on using this dialog box, 
    see "Logging In to the Network" in the Novell Client for Linux User Guide. 

gnwservers | Displays a dialog box showing the servers you are logged in to. 

gnwtrees | Displays a dialog box showing the eDirectory trees you are logged in to. 


B.3 Using the Novell Client for Linux Man Pages 


Each of the utilities has a man page associated with it that contains information on the utility, such as 
a definition, usage, and samples. There is a known bug related to the manpath environment variable 
on both SUSE® Linux Enterprise Desktop and SUSE Linux. The ncl_man utility has been 
provided for convenience until the manpath bug is resolved. You should use the ncl_man 
command (instead of the traditional man command) to view NCL-related man pages. To do this, 
enter the following in a terminal the first time you want to view a Novell Client for Linux man page: 


/opt/novell/ncl/bin/ncl_man 


This modifies the manpath to allow the Novell Client man pages to be displayed. You can then 
access the man page for a specific Novell Client for Linux utility by entering the following: 


ncl_man utility_name 

For example: 


ncl_man ncl_tray 

In the man pages, use the PgUp and PgDn keys to move up and down. Use the Home and End keys 
to move between the beginning and the end of a document. To exit a man page, press q. You can 
learn more about the man command by entering man man in a terminal window. 


You can also enter utility_name --help in a terminal window to access a help page for the 
utility. 
Documentation Updates 


This section contains information on documentation content changes made in this guide since the 
initial release of the Novell® Client™ for Linux. The information will help you keep current on 
updates to the documentation. 


The documentation was updated on the following dates: 


* Section C.1, "July 26, 2006," on page 51 
* Section C.2, "December 23, 2005," on page 51 


C.1 July 26, 2006 


* Removed Novell Linux Desktop 9 and SUSE® Linux 10.0 as supported platforms. 
* Added SUSE Linux Enterprise Desktop 10 and SUSE Linux 10.1 as supported platforms. 
* Added Section 4.1, "Setting Up Integrated Login," on page 25. 


C.2 December 23, 2005 


* Page design reformatted to comply with revised Novell documentation standards. 